[pve-devel] [PATCH manager] pveproxy: add LISTEN variable to /etc/default/pveproxy

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Nov 15 14:10:36 CET 2017


That way one can explicitly set the listen address.
Useful for single nodes to limit the GUI to 127.0.0.1, or in
clusters to limit it to a private cluster network.

(Note that proxied cluster requests use the hostname so it
should usually contain either nothing, the hostname, or the
first IP the hostname resolves to, otherwise proxied
requests will either hang a little, or simply not work.)

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
Also note that this is NOT a good way to choose between IPv4 and IPv6.
The default logic was chosen to make it hard to break cluster
communication. If the hostname resolves to IPv6 first and you
specifically listen on IPv4, other cluster nodes will first try
IPv6 and fail.
So personally I recommend using the actual $hostname, or some fixed
ip for single nodes, and nothing else.

 PVE/API2Tools.pm        | 9 +++++++++
 PVE/Service/pveproxy.pm | 7 +++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/PVE/API2Tools.pm b/PVE/API2Tools.pm
index f1df2384..47cce416 100644
--- a/PVE/API2Tools.pm
+++ b/PVE/API2Tools.pm
@@ -230,6 +230,7 @@ sub read_proxy_config {
     $shcmd .= 'echo \"POLICY:\$POLICY\";';
     $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
     $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
+    $shcmd .= 'echo \"LISTEN:\$LISTEN\";';
 
     my $data = -f $conffile ? `bash -c "$shcmd"` : '';
 
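Review bot: The added `echo \"LISTEN:\$LISTEN\"` line in read_proxy_config makes LISTEN a new user-facing setting, but the diffstat lists only the two Perl modules, so the accepted format (a host with an optional `:port`) and the hostname caveat from the commit message are not documented anywhere that someone editing /etc/default/pveproxy would see them. Please document the variable wherever the other variables (POLICY, CIPHERS, DHPARAMS) are described, or at least add a comment here stating the expected format.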
@@ -252,6 +253,14 @@ sub read_proxy_config {
 	    $res->{$key} = $value;
 	} elsif ($key eq 'DHPARAMS') {
 	    $res->{$key} = $value;
+	} elsif ($key eq 'LISTEN') {
+	    die "invalid listen address: '$value'\n"
+		if $value !~ /^([^:]+)(?::(\d+))?$/;
+	    my ($host, $port) = ($1, int($2));
+	    die "invalid port: '$port'\n"
+		if $port > 0xFFFF;
+	    $res->{LISTEN_HOST} = $host;
+	    $res->{LISTEN_PORT} = $port;
 	} else {
 	    # silently skip everythin else?
 	}
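Review bot: The pattern in the new LISTEN branch, `/^([^:]+)(?::(\d+))?$/`, forbids any colon in the host part, so an IPv6 literal such as ::1 can never be configured and dies with "invalid listen address"; consider accepting a bracketed `[addr]:port` form, or treating a value that parses as a plain IPv6 address as host-only. In the same branch, `int($2)` is evaluated even when no port was given, which yields 0 and an uninitialized-value warning if warnings are enabled, and an explicit `:0` passes the `> 0xFFFF` check and is later indistinguishable from "no port". Converting the port only when `$2` is defined, and rejecting 0 explicitly, would make both cases unambiguous.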
diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index 7d39900a..15783daa 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -64,8 +64,11 @@ sub init {
     my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
 	die "unable to open lock file '${accept_lock_fn}' - $!\n";
 
-    my $family = PVE::Tools::get_host_address_family($self->{nodename});
-    my $socket = $self->create_reusable_socket(8006, undef, $family);
+    my $host = $proxyconf->{LISTEN_HOST} || $self->{nodename};
+    my $port = $proxyconf->{LISTEN_PORT} || 8006;
+    my $family = PVE::Tools::get_host_address_family($host);
+
+    my $socket = $self->create_reusable_socket($port, $host, $family);
 
     my $dirs = {};
 
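Review bot: With LISTEN unset, `$host` in init falls back to `$self->{nodename}` and is now passed as the second argument of create_reusable_socket, where the old call passed undef. If that argument is the bind address, the default behaviour changes from listening on all addresses to listening only on the address the node name resolves to, so existing installations without a LISTEN entry would stop answering on 127.0.0.1 and on any other interface. Consider passing undef to create_reusable_socket when LISTEN_HOST is empty and using the node name only for the get_host_address_family lookup, so that the restriction is strictly opt-in.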
-- 
2.11.0




